
Fuzzing with AFL Fuzzer

Updated: Apr 11

Fuzzing: Where computers play hide and seek with bugs


AFL++ is a fork of the AFL fuzzer that provides better speed, more mutation strategies, improved instrumentation, custom module support and more. More about AFL++ is here and

Fuzzer Platform Requirements

Build and Install AFL ++ For Fuzzing

Run the commands below to build and install AFL++ on an Ubuntu virtual host.

sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
# try to install llvm 12 and install the distro default if that fails
sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
sudo apt-get install -y afl-clang
sudo apt-get install -y ninja-build # for QEMU mode
git clone
cd AFLplusplus
make distrib
sudo make install

Fuzzing Target Source

Select a target application such as Dlib for fuzzing.

Compiling with AFL ++

git clone

cd dlib/tools/imglab
mkdir -p build
cd build

export AFL_USE_UBSAN=1

export AFL_USE_ASAN=1

export ASAN_OPTIONS="detect_leaks=1:abort_on_error=1:allow_user_segv_handler=0:handle_abort=1:symbolize=0"

cmake -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CXX_FLAGS="-fsanitize=address,leak,undefined -g" -DCMAKE_C_FLAGS="-fsanitize=address,leak,undefined -g" ..

make -j8

Start Fuzzing

AFL++ needs a test corpus of seed input files to exercise the compiled binary. AFL++ mutates these seeds to generate new inputs and thereby discover new code paths.

Run the commands below to create the input seed directory and seed file for AFL++.

mkdir -p fuzz/image/in
cp /home/$USER/dlib/examples/faces/testing.xml fuzz/image/in

Start the AFL++ fuzzer using the command below.

afl-fuzz -i fuzz/image/in -o fuzz/image/out -- ./imglab --stats @@

AFL successful fuzzing screen

Parallel Fuzzing

Parallel fuzzing helps improve fuzzing throughput. The afl-gotcpu utility can tell you whether your system still has idle CPU capacity for additional instances.


Testing for Parallel fuzzing limitations

Master: Start the Master Fuzzer

afl-fuzz -i fuzz/image/in -o fuzz/image/out -M Master -- ./imglab --stats @@

Setting master fuzzer instance in AFL

Slave: Start the Slave Fuzzer

afl-fuzz -i fuzz/image/in -o fuzz/image/out -S Slave -- ./imglab --stats @@

Starting Slave fuzzer in AFL

Crash Analysis

Setup: Install GDB and GDB-Peda

sudo apt install gdb

git clone ~/peda
echo "source ~/peda/" >> ~/.gdbinit

git clone 
cd exploitable
python install

AFL-Collect: Run afl-collect crash analysis

afl-collect -d crashes.db -e gdb_script -r -rr ./fuzz/image/out/Master ./afl-collect -j 8 -- ./imglab --stats @@

Running crash analysis AFL

afl-collect lists all potentially valid crashes and removes the invalid ones. The next step is to load the valid crashes in GDB and triage them for potential overflow vulnerabilities.
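Once the Master and Slave instances are running, each writes a fuzzer_stats file in its own subdirectory of the -o output directory and keeps its crash inputs under <instance>/crashes/. The helper below is an added example, not code from the original post, afl-utils or the AFL++ project: it reads those files across all instances, totals executions and saved crashes, and lists the crash inputs to load into GDB. It builds a constructed sample output tree inline so it runs without AFL++ installed; the field names are the ones AFL++ writes (saved_crashes, with the older unique_crashes also accepted).

```python
import tempfile
from pathlib import Path

def parse_fuzzer_stats(path):
    """Parse an AFL++ fuzzer_stats file ("key : value" per line) into a dict."""
    stats = {}
    for line in Path(path).read_text().splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        stats[key.strip()] = value.strip()
    return stats

def summarize_sync_dir(out_dir):
    """Aggregate stats over every fuzzer instance (Master, Slave, ...) in out_dir."""
    out_dir = Path(out_dir)
    summary = {"instances": 0, "execs_done": 0, "crashes": 0, "crash_files": []}
    for inst in sorted(out_dir.iterdir()):
        stats_file = inst / "fuzzer_stats"
        if not stats_file.is_file():
            continue  # not a fuzzer instance directory
        stats = parse_fuzzer_stats(stats_file)
        summary["instances"] += 1
        summary["execs_done"] += int(stats.get("execs_done", 0))
        # AFL++ 4.x writes saved_crashes; older releases used unique_crashes
        summary["crashes"] += int(stats.get("saved_crashes", stats.get("unique_crashes", 0)))
        crash_dir = inst / "crashes"
        if crash_dir.is_dir():
            # AFL++ drops a README.txt next to the crash inputs; it is not a test case
            summary["crash_files"] += sorted(
                str(p) for p in crash_dir.iterdir() if p.name != "README.txt")
    return summary

def build_sample_output_dir():
    """Constructed sample of an afl-fuzz -o tree with a Master and a Slave instance."""
    root = Path(tempfile.mkdtemp(prefix="afl_sample_"))
    layout = {  # instance name -> (fuzzer_stats text, crash file names), all made up
        "Master": ("execs_done        : 120000\nsaved_crashes     : 2\n",
                   ["id:000000,sig:06,src:000003,op:havoc,rep:4",
                    "id:000001,sig:11,src:000010,op:flip1,pos:17"]),
        "Slave": ("execs_done        : 95000\nsaved_crashes     : 1\n",
                  ["id:000000,sig:11,src:000005,op:havoc,rep:2"]),
    }
    for name, (stats_text, crash_names) in layout.items():
        inst = root / name
        (inst / "crashes").mkdir(parents=True)
        (inst / "fuzzer_stats").write_text(stats_text)
        (inst / "crashes" / "README.txt").write_text("Command line used to find this crash:\n")
        for crash in crash_names:
            (inst / "crashes" / crash).write_bytes(b"<dataset>")  # constructed crash input
    return root

if __name__ == "__main__":
    s = summarize_sync_dir(build_sample_output_dir())
    print(f"{s['instances']} instances, {s['execs_done']} execs, {s['crashes']} crashes")
    for f in s["crash_files"]:
        print("  ", f)
```

Point summarize_sync_dir at the real fuzz/image/out directory to get the same summary for a live run.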



